NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE
NATIONAL CREDIT UNION ADMINISTRATION’S
COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
2005

Report #OIG-05-08                         September 30, 2005

William A. DeSarno
Inspector General

Released by:                              Auditor-in-Charge:
James Hagen                               Tammy F. Rapp, CPA, CISA
Asst IG for Audits                        Sr Information Technology Auditor


OIG REPORT TO OMB ON THE NATIONAL CREDIT UNION ADMINISTRATION’S
COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY ACT - 2005
Report #OIG-05-08

CONTENTS

Section                                                                Page

I         EXECUTIVE SUMMARY                                            i
II        Office of Management & Budget Report Format                  1

Appendix

A         Independent Evaluation of the NCUA Information Security Program – 2005
B         NCUA Financial Statement Audits – FY2004 (excerpt)

Appendices are limited to restricted official use only.


I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Cotton & Company LLP to conduct an independent evaluation of its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Cotton & Company evaluated NCUA’s security program through interviews, documentation reviews, technical configuration reviews, social engineering testing, and sample testing. We evaluated NCUA against standards and requirements for federal government agencies such as those provided through FISMA, National Institute of Standards and Technology (NIST) Special Publications (SPs), and Office of Management and Budget (OMB) memorandums. We scheduled an exit conference with NCUA officials on October 3, 2005, to discuss evaluation results, but the OCIO respectfully declined.

Our work identified two issues that can be classified as significant deficiencies in NCUA’s security structure. OMB defined a significant deficiency for FISMA reporting purposes in its 2004 reporting guidance (OMB M-04-25):

       Significant Deficiency – is a weakness in an agency’s overall information systems
       security program or management control structure, or within one or more
       information systems, that significantly restricts the capability of the agency to carry
       out its mission or compromises the security of its information, information
       systems, personnel, or other resources, operations, or assets. In this context, the
       risk is great enough that the agency head and outside agencies must be notified
       and immediate or near-immediate corrective action must be taken.

While the Chief Information Officer (CIO) has initiated projects to address these issues, both of the significant deficiencies concerning NCUA’s security program remain open and are being reported for the third consecutive year.

First, this year and in prior-year reviews we noted several weaknesses related to NCUA’s General Support System (GSS) Certification and Accreditation (C&A) and its technical components. This is significant, because every major application relies on the security of the operating system and network infrastructure on which it resides. Prevention of unauthorized access is necessary to ensure infrastructure security. NCUA’s general support system continues to operate under an interim accreditation based on several weaknesses identified during the formal certification process in 2004.

In response to this issue, the CIO has initiated a project to make major changes to the GSS and upgrade a number of its components. As of the end date of our fieldwork, the GSS is still undergoing the change process, and the C&A of the new GSS had not been completed. The CIO has, however, brought in an experienced contractor to assist with the C&A activities and ensure that they meet requirements of NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and other federal guidance. This issue remains open and has been expanded to include other weaknesses in the overall C&A process used to review all major systems. This weakness represents a significant deficiency in NCUA’s security program.

Second, we determined during prior reviews that information stored on examiners’ laptop computers had not been addressed as part of NCUA’s information security program. The OCIO recently upgraded the examination application which includes requiring all examination data stored on laptops to be encrypted. When completed, this project will represent an improvement in the protection of sensitive data. Training and implementation for this project will not be completed until November 1, 2005. Therefore, we were not able to test the effectiveness of the program as part of the 2005 review.

We also noted other weaknesses in IT security controls that did not rise to the level of significant deficiencies:

       •  NCUA has not conducted adequate security control testing of all major information systems on an annual basis.

       •  Continuity of Operations Plan (COOP) and IT Disaster Recovery procedures do not reflect the current environment and have not been tested in 2005.

       •  NCUA has not developed policies and procedures for monitoring the security of outsourced systems.

       •  NCUA does not have a system inventory for all major information systems.

       •  NCUA has not completed the e-authentication risk assessment for major systems.

       •  NCUA has not documented policies and procedures guiding the process for managing the Plan of Action and Milestones (POA&M).

       •  NCUA does not have a configuration management plan that covers all agency systems and has not developed a minimum security baseline configuration for any of its systems or platforms.

       •  NCUA has not provided security awareness training to employees in 2005.

       •  NCUA has not conducted privacy impact assessments for any major information systems.

We concluded that these two significant deficiencies remain open after 3 years and other security issues exist, because OCIO management had not created a tone at the top that emphasizes both external perimeter and internal security and security-related activities. Management has placed its focus on external security issues, and internal security has not been made a priority. Management has not dedicated the resources to completing C&As and other security assessments in accordance with FISMA, NIST, and OMB guidance. We encourage NCUA’s Executive Director, the Director of the Office of Examination and Insurance, and the CIO to address these issues as soon as possible.